Accenture MDR Quick Start Guide for WSO2 Identity Server (IS) and API Manager (AM) Event Collector (Generic TCP)

This quick start guide helps Accenture Security customers configure WSO2 IS and AM to send logs to the Log Collection Platform (LCP).

This document includes the following topics:

  1. Supported Versions
  2. Port Requirements
  3. Configuring WSO2 IS and AM
  4. NxLog Configuration
  5. LCP Configuration Parameters
  6. Legal Notice

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found on the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

| Source         | Destination | Port                                              | Description  |
|----------------|-------------|---------------------------------------------------|--------------|
| WSO2 IS and AM | LCP         | 10013 (TCP, non-TLS) or 10014 (TCP with TLS)      | Default port |

Configuring WSO2 IS and AM

Configuring WSO2IS

Audit logs are enabled in WSO2 Identity Server by default. The procedure below confirms the audit log configuration that the LCP parser expects.

  1. Open the <IS_HOME>/repository/conf/log4j2.properties file.

  2. Check that the AUDIT_LOGFILE appender is configured as follows, and update it if it differs:

```
# Appender config to AUDIT_LOGFILE
appender.AUDIT_LOGFILE.type = RollingFile
appender.AUDIT_LOGFILE.name = AUDIT_LOGFILE
appender.AUDIT_LOGFILE.fileName = ${sys:carbon.home}/repository/logs/audit.log
appender.AUDIT_LOGFILE.filePattern = ${sys:carbon.home}/repository/logs/audit-%d{MM-dd-yyyy}.log
appender.AUDIT_LOGFILE.layout.type = PatternLayout
appender.AUDIT_LOGFILE.layout.pattern = [%d] %5p- %m%ex%n
appender.AUDIT_LOGFILE.policies.type = Policies
appender.AUDIT_LOGFILE.policies.time.type = TimeBasedTriggeringPolicy
appender.AUDIT_LOGFILE.policies.time.interval = 1
appender.AUDIT_LOGFILE.policies.time.modulate = true
appender.AUDIT_LOGFILE.strategy.type = DefaultRolloverStrategy
appender.AUDIT_LOGFILE.strategy.max = 20
appender.AUDIT_LOGFILE.filter.threshold.type = ThresholdFilter
appender.AUDIT_LOGFILE.filter.threshold.level = INFO
```

  3. Keep appender.AUDIT_LOGFILE.layout.pattern exactly as shown above; the LCP parser is built for this layout. The directives mean:

%d = Date

%5p = Log level, padded to five characters

%m%ex%n = Log message, followed by the exception (if any) and a newline

  4. The log level threshold is set by appender.AUDIT_LOGFILE.filter.threshold.level = INFO. Leave it at INFO: audit events are written at INFO level, so a higher threshold would drop them before they reach the file.

NOTE: Changes to log4j2.properties are applied at run time; the server does not need to be restarted after editing that file.

HTTP ACCESS LOG

Configuring access logs for the HTTP servlet transport

  1. Open the <IS_HOME>/repository/conf/deployment.toml file.

  2. Add the following configuration:

```
[http_access_log]
pattern = "time=%t remoteHostname=%h localPort=%p localIP=%A requestMethod=%m requestURL=%U remoteIP=%a requestProtocol=%H HTTPStatusCode=%s queryString=%q X-Forwarded-For=%{X-Forwarded-For}i"
```

     The pattern uses Tomcat AccessLogValve directives. %{X-Forwarded-For}i logs the incoming X-Forwarded-For header so that the original client address is kept when requests arrive through a load balancer or reverse proxy; the header is client-supplied, so treat it as trustworthy only when your own proxy sets it.

  3. Restart the server. A log file named http_access.{DATE}.log is then created in the <IS_HOME>/repository/logs directory; the log is rotated daily.

Configuring WSO2AM

  1. Audit logs are enabled by default in WSO2 API Manager (WSO2 API-M) through the following configuration in the <API-M_HOME>/repository/conf/log4j2.properties file:

```
appender.AUDIT_LOGFILE.type = RollingFile
appender.AUDIT_LOGFILE.name = AUDIT_LOGFILE
appender.AUDIT_LOGFILE.fileName = ${sys:carbon.home}/repository/logs/audit.log
appender.AUDIT_LOGFILE.filePattern = ${sys:carbon.home}/repository/logs/audit-%d{MM-dd-yyyy}.log
appender.AUDIT_LOGFILE.layout.type = PatternLayout
appender.AUDIT_LOGFILE.layout.pattern = [%d] %5p- %m%ex%n
appender.AUDIT_LOGFILE.policies.type = Policies
appender.AUDIT_LOGFILE.policies.time.type = TimeBasedTriggeringPolicy
appender.AUDIT_LOGFILE.policies.time.interval = 1
appender.AUDIT_LOGFILE.policies.time.modulate = true
appender.AUDIT_LOGFILE.policies.size.type = SizeBasedTriggeringPolicy
appender.AUDIT_LOGFILE.policies.size.size = 10MB
appender.AUDIT_LOGFILE.strategy.type = DefaultRolloverStrategy
appender.AUDIT_LOGFILE.strategy.max = 20
appender.AUDIT_LOGFILE.filter.threshold.type = ThresholdFilter
appender.AUDIT_LOGFILE.filter.threshold.level = INFO
```

  2. Keep appender.AUDIT_LOGFILE.layout.pattern exactly as shown above; the LCP parser is built for this layout. The directives mean:

%d = Date

%5p = Log level, padded to five characters

%m%ex%n = Log message, followed by the exception (if any) and a newline

  3. The log level threshold is set by appender.AUDIT_LOGFILE.filter.threshold.level = INFO. Leave it at INFO so that audit events, which are written at INFO level, are not filtered out.

HTTP ACCESS LOG

Configuring access logs for the HTTP servlet transport

  1. Open the <API-M_HOME>/repository/conf/deployment.toml file.

  2. Add the following configuration, which routes the servlet transport's access log through log4j2 instead of Tomcat's own file writer:

```
[http_access_log]
useLogger = true
```

  3. Open the <API-M_HOME>/repository/conf/log4j2.properties file.

  4. Add HTTP_ACCESS to the existing comma-separated "appenders" list.

  5. Add HTTP_ACCESS to the existing comma-separated "loggers" list.

  6. Add the logger configuration for the HTTP_ACCESS log.

  7. Add the appender configuration for the HTTP_ACCESS log.

  8. Restart the server.
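The configuration lines that steps 4 to 7 refer to are not reproduced on this page. The fragment below is an added example of what those steps put into <API-M_HOME>/repository/conf/log4j2.properties; it is not taken from this guide or from WSO2's own files. The HTTP_ACCESS appender is modelled on the AUDIT_LOGFILE appender shown above. The logger name HTTP_ACCESS, the file name http_access.log, the layout pattern, and the pre-existing entries shown in the appenders and loggers lists (CARBON_CONSOLE, CARBON_LOGFILE, AUDIT_LOGFILE, AUDIT_LOG) are assumptions: append HTTP_ACCESS to whatever your file already lists rather than replacing those lines.

```properties
# <API-M_HOME>/repository/conf/log4j2.properties (added example, not from this guide)

# Step 4: append HTTP_ACCESS to the existing comma-separated appender list.
# CARBON_CONSOLE, CARBON_LOGFILE and AUDIT_LOGFILE stand in for whatever your file already lists (assumption).
appenders = CARBON_CONSOLE, CARBON_LOGFILE, AUDIT_LOGFILE, HTTP_ACCESS

# Step 5: append HTTP_ACCESS to the existing comma-separated logger list (AUDIT_LOG is a stand-in).
loggers = AUDIT_LOG, HTTP_ACCESS

# Step 6: logger configuration. With useLogger = true in deployment.toml, the servlet
# transport hands each access-log line to a log4j2 logger named HTTP_ACCESS (assumption).
logger.HTTP_ACCESS.name = HTTP_ACCESS
logger.HTTP_ACCESS.level = INFO
logger.HTTP_ACCESS.appenderRef.HTTP_ACCESS.ref = HTTP_ACCESS
# additivity = false keeps access lines out of the root logger, i.e. out of wso2carbon.log and the console
logger.HTTP_ACCESS.additivity = false

# Step 7: appender configuration, modelled on the AUDIT_LOGFILE appender above.
appender.HTTP_ACCESS.type = RollingFile
appender.HTTP_ACCESS.name = HTTP_ACCESS
appender.HTTP_ACCESS.fileName = ${sys:carbon.home}/repository/logs/http_access.log
appender.HTTP_ACCESS.filePattern = ${sys:carbon.home}/repository/logs/http_access-%d{MM-dd-yyyy}.log
appender.HTTP_ACCESS.layout.type = PatternLayout
# %m only: the access-log line already carries its own timestamp (%t in the Tomcat pattern),
# so no log4j2 date or level prefix is added in front of it
appender.HTTP_ACCESS.layout.pattern = %m%n
appender.HTTP_ACCESS.policies.type = Policies
appender.HTTP_ACCESS.policies.time.type = TimeBasedTriggeringPolicy
appender.HTTP_ACCESS.policies.time.interval = 1
appender.HTTP_ACCESS.policies.time.modulate = true
appender.HTTP_ACCESS.policies.size.type = SizeBasedTriggeringPolicy
appender.HTTP_ACCESS.policies.size.size = 10MB
appender.HTTP_ACCESS.strategy.type = DefaultRolloverStrategy
appender.HTTP_ACCESS.strategy.max = 20
appender.HTTP_ACCESS.filter.threshold.type = ThresholdFilter
appender.HTTP_ACCESS.filter.threshold.level = INFO
```

After the restart, http_access.log appears under <API-M_HOME>/repository/logs and rolls daily or at 10 MB, whichever comes first; the NxLog input configured later in this guide must point at that path.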

By default, the access logs for service/API invocations (the PassThrough transport) are disabled for performance reasons. Enable them as follows:

  1. Open the <API-M_HOME>/repository/conf/log4j2.properties file and add the configuration for the PassThroughAccess logger.

  2. Append PassThroughAccess to the "loggers" configuration, which is a comma-separated list of all active loggers.

  3. Create a file named access-log.properties in <API-M_HOME>/repository/conf/ using the template provided with this guide.

  4. Keep access_log_pattern as given in the template; the LCP parser is built for that format.

  5. Add the PassThrough access log configuration to the <API-M_HOME>/repository/conf/deployment.toml file.

  6. Restart the server.
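As an added example, not the template distributed with this guide, the fragment below shows what steps 1 to 4 look like: first the two lines for log4j2.properties, then a complete access-log.properties. The logger category org.apache.synapse.transport.http.access, the property names in access-log.properties, the http_gw file prefix and the access_log_pattern shown are assumptions; the pattern in particular must match the template you were given, since the LCP parser is built for it. The deployment.toml setting from step 5 is not shown here.

```properties
# <API-M_HOME>/repository/conf/log4j2.properties, steps 1 and 2 (added example, not from this guide)

# Step 1: PassThroughAccess logger. The category is the Synapse PassThrough transport's
# access-log package (assumption); INFO is the level at which access lines are emitted.
logger.PassThroughAccess.name = org.apache.synapse.transport.http.access
logger.PassThroughAccess.level = INFO

# Step 2: append PassThroughAccess to the existing comma-separated logger list
# (AUDIT_LOG stands in for the entries already in your file).
loggers = AUDIT_LOG, PassThroughAccess

# <API-M_HOME>/repository/conf/access-log.properties, steps 3 and 4 (new file, added example)

# Keys follow the Synapse access-log configuration (assumption). Replace <API-M_HOME> with the
# absolute path; the file is written as http_gw.<date>.log and a new file is started daily.
access_log_directory=<API-M_HOME>/repository/logs
access_log_prefix=http_gw
access_log_suffix=.log
access_log_file_date_format=yyyy-MM-dd

# Step 4: Tomcat-style pattern. X-Forwarded-For is logged first so the original client
# address survives a load balancer or reverse proxy; it is client-supplied, so trust it only
# when your own proxy sets it. Adjust to the template you were given (assumption).
access_log_pattern=%{X-Forwarded-For}i %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
```

The gateway access log is separate from the servlet transport's http_access.log: the former records API invocations through the PassThrough transport, the latter requests to the management and portal applications. Both files should be shipped by the NxLog agent.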

NxLog Configuration

To configure the NxLog agent, follow the one option below that matches the operating system and transport:

NxLog Agent for non-TLS TCP (Windows)

NxLog Agent for non-TLS TCP (Linux RHEL 7 and CentOS 7)

NxLog Agent for TLS TCP (Windows or Linux)

Steps to configure the NxLog agent for non-TLS TCP log flow on port 10013 (Windows)

  1. Download and install the NxLog agent from the Download link.

  2. Open services.msc and stop the nxlog service.

  3. Navigate to the folder C:\Program Files (x86)\nxlog\data and delete configcache.dat.

  4. Go to the installation folder C:\Program Files (x86)\nxlog\conf. Rename the attached NXLog.conf (Windows) to nxlog.conf and copy it into this folder.

  5. Replace LCP_IP_Address with the actual LCP IP address in nxlog.conf.

  6. Change the WSO2 log file path (audit.log and the HTTP access log under <IS_HOME> or <API-M_HOME>\repository\logs) on line 31 of nxlog.conf.

  7. Start the nxlog service from services.msc.

  8. NxLog agent logs are written to C:\Program Files (x86)\nxlog\data\nxlog.log.

  9. Log flow should now work; confirm it with tcpdump on the LCP or the WSO2 host, for example "tcpdump -A port 10013". Port 10013 carries plain TCP, so the log lines, including user names and client addresses from the audit log, are visible in clear text on the wire.

Steps to configure the NxLog agent for non-TLS TCP log flow on port 10013 (Linux RHEL 7 and CentOS 7)

  1. Download and install the NxLog agent from the Download link.

  2. The agent's configuration file is /etc/nxlog.conf. Rename the attached NXLog.conf(Linux).conf to nxlog.conf and copy it to /etc/nxlog.conf, replacing the installed file.

  3. Replace LCP_IP_Address with the actual LCP IP address in nxlog.conf.

  4. Change the WSO2 log file path (audit.log and the HTTP access log under <IS_HOME> or <API-M_HOME>/repository/logs) on line 24 of nxlog.conf.

  5. Start the nxlog service with systemctl start nxlog.

  6. NxLog agent logs are written to /var/log/nxlog.log.

Steps to configure the NxLog agent for TLS TCP log flow on port 10014 (Windows and Linux)

  1. Download and install the NxLog agent from the Download link.

  2. Stop the nxlog service:

    1. On Windows, open services.msc and stop the nxlog service, then navigate to the folder C:\Program Files (x86)\nxlog\data and delete configcache.dat.

    2. On Linux, run systemctl stop nxlog.

  3. Navigate to the installation location:

    1. On Windows, go to C:\Program Files (x86)\nxlog\conf. Rename the attached NXLog.conf (Windows) to nxlog.conf and copy it into this folder.

    2. On Linux, the configuration file is /etc/nxlog.conf. Rename the attached NXLog.conf(TLS).conf to nxlog.conf and copy it to /etc/nxlog.conf, replacing the installed file.

Note: Contact the Accenture MDR onboarding team to obtain the certificate. It is the CA certificate the agent uses to verify the LCP's identity; without it, the agent cannot tell the LCP apart from any other host listening on port 10014.

  4. On Windows, copy the certificate to the machine where the nxlog agent is installed and enter its path in nxlog.conf against "CAFile" on line 47.

  5. On Linux, copy the certificate to the machine where the nxlog agent is installed and enter its path in nxlog.conf against "CAFile" on line 28.

  6. Replace LCP_IP_Address with the actual LCP IP address in nxlog.conf.

  7. On Windows, change the WSO2 log file path (audit.log and the HTTP access log) on line 32 of nxlog.conf.

  8. On Linux, change the WSO2 log file path (audit.log and the HTTP access log) on line 24 of nxlog.conf.

  9. Start the nxlog service:

    1. On Windows, start the nxlog service from services.msc.

    2. On Linux, run systemctl start nxlog.

  10. NxLog agent logs are written to C:\Program Files (x86)\nxlog\data\nxlog.log on Windows.

  11. NxLog agent logs are written to /var/log/nxlog.log on Linux.

  12. Log flow should now work; confirm it with tcpdump, for example "tcpdump -A port 10014". On this port the payload is TLS-encrypted, so tcpdump only shows that a connection is established and data is flowing; if nothing arrives, check the nxlog.log file for TLS handshake or certificate errors.
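The NXLog.conf attachments referred to above are not part of this page. The configuration below is an added example written for this guide, not the attachment: a single nxlog.conf that tails the WSO2 audit log and HTTP access log and ships them to the LCP as BSD syslog over either plain TCP (port 10013) or TLS (port 10014). The Windows installation paths, the WSO2 log directory C:\wso2is\repository\logs, the input and output block names and the certificate file name lcp-ca.pem are assumptions; LCP_IP_Address is the placeholder used throughout this guide.

```conf
## nxlog.conf (added example for this guide, not the NXLog.conf attachment)
## Windows layout; Linux equivalents are given in the note below the block.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Provides to_syslog_bsd(), used by both outputs
<Extension syslog>
    Module  xm_syslog
</Extension>

# Audit log written by the AUDIT_LOGFILE appender ([%d] %5p- %m%ex%n).
# Path is an assumption; inside double quotes backslashes must be doubled.
<Input wso2_audit>
    Module        im_file
    File          "C:\\wso2is\\repository\\logs\\audit.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    Exec          $SourceName = "wso2_audit";
</Input>

# HTTP access log; the wildcard follows the daily rotation (http_access.<date>.log)
<Input wso2_http_access>
    Module        im_file
    File          "C:\\wso2is\\repository\\logs\\http_access*.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    Exec          $SourceName = "wso2_http_access";
</Input>

# Option A: plain TCP to LCP port 10013. No confidentiality and no check that the
# peer really is the LCP; use only where the path to the LCP is itself protected.
<Output lcp_tcp>
    Module  om_tcp
    Host    LCP_IP_Address
    Port    10013
    Exec    to_syslog_bsd();
</Output>

# Option B: TLS to LCP port 10014. CAFile is the certificate obtained from the
# Accenture MDR onboarding team (file name is an assumption). AllowUntrusted FALSE
# makes nxlog refuse any server whose certificate does not chain to that CA.
<Output lcp_tls>
    Module          om_ssl
    Host            LCP_IP_Address
    Port            10014
    CAFile          %ROOT%\cert\lcp-ca.pem
    AllowUntrusted  FALSE
    Exec            to_syslog_bsd();
</Output>

# Exactly one route: TLS by default. To use port 10013 instead, replace lcp_tls with lcp_tcp.
<Route wso2_to_lcp>
    Path    wso2_audit, wso2_http_access => lcp_tls
</Route>
```

Keep only the TLS route enabled in production; the plain-TCP output is included so that the two procedures above can be compared, and the difference is precisely the CAFile check that om_ssl performs and om_tcp cannot. On Linux, drop the define line and use the distribution's locations instead (configuration in /etc/nxlog.conf, LogFile /var/log/nxlog.log, CacheDir /var/spool/nxlog, and Moduledir /usr/libexec/nxlog/modules on RHEL 7 and CentOS 7) together with the WSO2 log paths under <IS_HOME>/repository/logs or <API-M_HOME>/repository/logs. SavePos TRUE lets the agent resume where it stopped after a restart, so no audit records are lost or duplicated across service restarts.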

LCP Configuration Parameters

Table 1-2: The WSO2 IS and AM event collector (Generic TCP-4029) properties to be configured by MDR.

| Property    | Default Value                       | Description |
|-------------|-------------------------------------|-------------|
| Protocol    | TCP                                 | The default protocol for syslog. |
| IP Address  | WSO2 IS and AM interface IP address | Logging device IP address given in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs from multiple interfaces, contact the MDR onboarding team. |
| Port Number | TCP/10013 or TCP/10014              | The default port for TCP. Note: The LCP can be configured to listen on a non-standard port; advise the Accenture MDR onboarding team if this is a requirement. |

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.